Dear Mr. Young:

This further responds to your Freedom of Information Act (FOIA) request 
of 3 January 2010 for the following documents (cited in the footnotes of 
NDS DOCID 3417193 provided to you in FOIA Case 60251): 

1. Unknown author, Fifty Years of Mathematical Cryptanalysis (Fort 
Meade), Md. NSA, 1988. 

2. DDIR files, 96026, Box 4, Drake Notebook, Proto Paper. 

3. Ibid, Unknown Author, draft history of COMPUSEC, in CCH files. 

4. Interview, Norman Boardman, by Robert D. Farley, 1986, OH 3-86, NSA.


A copy of your request is enclosed. As stated in our initial response to 
you, Item 1 of your request (“Fifty Years of Mathematical Cryptanalysis”) was 
processed in a FOIA request received prior to yours. That processing is now 
completed and the document is enclosed. Certain information, however, has 
been deleted from the enclosure. 

Some of the withheld information has been found to be currently and 
properly classified in accordance with Executive Order 13526. The information 
meets the criteria for classification as set forth in Subparagraph (c) of Section 
1.4 and remains classified TOP SECRET as provided in Section 1.2 of Executive 
Order 13526. The information is classified because its disclosure could 
reasonably be expected to cause exceptionally grave damage to the national 
security. Because the information is currently and properly classified, it is 
exempt from disclosure pursuant to the first exemption of the FOIA (5 U.S.C. 
Section 552(b)(1)). The information is exempt from automatic declassification 
in accordance with Section 3.3(b)(3) of E.O. 13526. 

In addition, this Agency is authorized by various statutes to protect 
certain information concerning its activities. We have determined that such 
information exists in this document. Accordingly, those portions are exempt 
from disclosure pursuant to the third exemption of the FOIA, which provides
for the withholding of information specifically protected from disclosure by 
statute. The specific statutes applicable in this case are Title 18 U.S. Code 
798; Title 50 U.S. Code 3024(i); and Section 6, Public Law 86-36 (50 U.S. Code 
3605). 


Personal information regarding individuals has been deleted from the 
enclosures in accordance with 5 U.S.C. 552 (b)(6). This exemption protects 
from disclosure information that would constitute a clearly unwarranted 
invasion of personal privacy. In balancing the public interest for the 
information you request against the privacy interests involved, we have 
determined that the privacy interests sufficiently satisfy the requirements for 
the application of the (b)(6) exemption. 

Since these deletions may be construed as a partial denial of your 
request, you are hereby advised of this Agency’s appeal procedures. 

You may appeal this decision. If you decide to appeal, you should do so 
in the manner outlined below. NSA will endeavor to respond within 20 working 
days of receiving any appeal, absent any unusual circumstances. 

• The appeal must be sent via U.S. postal mail, fax, or electronic 
delivery (e-mail) and addressed to: 

NSA FOIA/PA Appeal Authority (PI32) 

National Security Agency 

9800 Savage Road STE 6932 

Fort George G. Meade, MD 20755-6932 

The facsimile number is 443-479-3612. 

The appropriate email address to submit an appeal is 

FOIARSC@nsa.gov.

• It must be postmarked or delivered electronically no later than 90 
calendar days from the date of this letter. Decisions appealed after 
90 days will not be addressed. 

• Please include the case number provided above. 

• Please describe with sufficient detail why you believe the denial of 
requested information was unwarranted. 

You may also contact our FOIA Public Liaison at foialo@nsa.gov for any 
further assistance and to discuss any aspect of your request. Additionally, you 
may contact the Office of Government Information Services (OGIS) at the 
National Archives and Records Administration to inquire about the FOIA 
mediation services they offer. The contact information for OGIS is as follows: 

Office of Government Information Services
National Archives and Records Administration 
8601 Adelphi Rd. - OGIS 
College Park, MD 20740 
ogis@nara.gov 


877-684-6448 
(Fax) 202-741-5769 


Sincerely, 



JOHN R. CHAPMAN 
Chief, FOIA/PA Office 
NSA Initial Denial Authority 


Encls:
2. DDIR files, 96026, Box 4, Drake Notebook, Proto Paper.
John Young


Doc ID: 6649792 


TOP SECRET 


Fifty Years of Mathematical Cryptanalysis 


CLASSIFIED BY NSA/CSSM 123-2 
DECLASSIFIED ON: ORIGINATING AGENCY'S 
DETERMINATION REQUIRED 


Not Releasable To Contractors

LACON te 

THIS DOCUMENT CONTAINS CODEWORD MATERIAL 

TOP SECRET

Approved for Release by NSA on 01-23-2019. FOIA Case # 58202 

The opinions expressed in this article are those of the 
author and do not represent the official opinion of 
NSA/CSS. 


Fifty Years of Mathematical Cryptanalysis

(1937-1987)


by Glenn F. Stahly
August 1988


(b)(1)
(b)(3)-P.L. 86-36


(b)(1)
(b)(3)-50 USC 3024(i)
(b)(3)-P.L. 86-36


Contents 


Preface

I. Introduction

A. Background

B. Technology

C. Mathematics

D. Public Cryptologic Research

E. Prognosis

II. Mechanical and Electromechanical Cipher Machines

B. Teleprinter Cipher Machines

n* SfS^Sw 0 *? 8 cipher Ma chines ....•.!!!!!!*. “ 

Wired Wheel/Pin Wheel Compound Machines


V. Computing Power

A. Special Purpose Devices
B. Digital Computers


VI. Public Key Cryptography

A. Knapsacks

B. RSA

C. Exponentiation

D. McEliece's System






















VIII. Summing Up


Appendix I: Mathematicians in Cryptology in the 1940's and 1950's

A. British Mathematicians in WW II Cryptology

c' Mathematicians ^ ^ II cryptology . It 

S' !!SL!h^ the NSASAB Mathematics Panel, ?o 1965 ! *”' 59 

D. Mathematicians Attending the First SCAMP

E. Junior Mathematicians of 1951


Appendix II: ENIGMA 
Appendix III: TUNNY 


Appendix IV: Hagelin Machines

Appendix V: Electronic Cipher Machines
Appendix VI: Special Purpose Devices

Appendix VII: Public Key Systems

A. Knapsacks

B. RSA

C. Exponentiation

D. McEliece's System


References
Index























Preface 

Although this paper concentrates on mathematical cryptanalysis, it
is by no means intended to disparage the work of or results produced by
nonmathematical cryptanalysts, who excel in their own right and
frequently produce results that mathematics could not. Many of them work
side by side with the mathematicians and often lead them to success by
formulating cryptanalytic problems in such a way as to permit the
application of abstract mathematics. In fact, they not infrequently succeed
where "pure reason" fails the mathematician and leaves
him (or her) floundering. But it was absolutely essential during WW II
that mathematicians and nonmathematicians work hand-in-glove, and only
because of this cooperation were they so spectacularly successful.

Nor is it my intention to suggest that manual cryptography
will disappear or even diminish in importance. I believe that will nev-

therefore we must continue to train and sustain manual
cryptanalysts and to provide them with technological support (comput-

linguistics, and engineering) just as we do the usually
more mathematically oriented machine cryptanalysts.

ter* ^yPtanalysis is much more than merely counting let- 

subtracting numbers, or computing logarithms. It in- 
cal auhWf! P SS ati ° n cryptanalytic problems of advanced mathemati- 
thenrtf b f h ?* P robabil ity theory, mathematical statistics, group 

the al 9 ebra « combina torial theory, and many more. Some of 

he world s foremost mathematicians have been connected with cryptanaly- 

fe 4 John P ractl ° ners , (••9-, Alan Turing) or as consultants 

ititisticians Jockey. haVe SUCh outstandi ^ mathematical 


cal c^tanaW^f^nir J diacu ®;: ln 5 his surve y an Y work in mathemati- 
althou^h w^ h h ?? ne by thB United States or the United Kingdom, 

ries thrlh lh.1 glimpses of the capabilities of a few other coun- 

lia and Can l „<->P win ? ows ° f Third Par ty relationships. Austra- 

t Saco ? d Parties ' likewise have made contributions 
assets K4 ySi 24?f at are n0t discuss ed here. We can also 

their e^?nhf yP ^° grap iC 4 a *\ lls of most forei 9 n nations as we attack 
their enciphered communications, but it is hard to tell how closelv 

c5?t e to ar ^.To C w te o d r ?>f ir ^analytic efforts and even more d^ff^ 
cuit to guess how or if they use mathematicians. 

world”in^he 1 Yre„ t:U ' and th ® U - K - a ^e far ahead^of the rest of the 
nate sunerioritv t-M®’“ atica l cryptanalysis, not because of any in- 
home ?n P !,o -v, 1 y \ th i S area but because the second World War drove 

leSson to he^t^irt® of “ atbemabics f °r cryptanalysis. We took that 
Ltr- " ! heart and nurtured the seeds that were planted during the 

mathematiS* q to ntly V T n ° W haVe fifty years of experience in applying 
doesn’t? :0 r - Cr yPtology. We know a grea t deal about what works and 


WhiCh in tUrn 8tifflUlat - d -w and better

with a ca den ic* ^ th e ro a tic i a ns W s 1 o w ly* ^ut* Vure 1 v n *^ emati ? al cryptology, 
and publishing them openly m the nrw-.J?!* discovering our secrets 

the fact that mathematics has muchtool^r SSJSTi al ?° flighting 
bound to diminish. I fervently hoDe that VI< «T pt ? ’ 0ur lead is 

spire our younger mathematicians a ? nd c'rvntJn i l0 a.° k _ at the past wil1 in “ 
pa ck, and ° ur manage rs to help them do so. lyStS to stay ahead of the 

in locaTin^do^nt 0 / In \£e ' l “5 °t \ _ 1 

I used extensive!v t aie j ^ssi^ied Mathematics Library . ^TETcn 

Collection^now 0 located 3 (only a tejnporarilv ab i G h USe . ° f ,£* « ^yo^gio 

due"to 

how to cdhvert m'y -computer fills to 0*55** u ^! al ° f time showin g 
?S; y me°f my DiStakes ' PrintJ S SST*# 


(b)(3)-P.L. 86-36

Fifty Years of Mathematical Cryptanalysis (1937-1987)


I. Introduction



A. Background 


The driving forces behind the development of mathematical
cryptanalysis in the last 50 years have been twofold: the critical need
for intelligence during WW II and since; and the tremendous pace of
technological growth in the communications and computer fields.
Intelligence requirements, of course, have led to the provision of the
manpower and monetary resources that make it possible to mount
sophisticated cryptanalytic attacks. Technology has both created the
cryptanalytic problems and provided the means to attack them, and the
particular forms taken by technological building blocks used in cipher
machines have shaped the directions of cryptomathematical research. This
paper is a survey of the development of mathematical cryptanalysis and
its relationship to technology.


The history of manual cryptology, essentially the only form of 
cryptology in existence until the era between the world wars, appears 
a s „ ucc * s ®* on of rather specific new systems followed by "general 
°f * hem : Some general principles did emerge (e.g., the use 

"ThJ h Go?S t Sui»? iC K 1 ^ t i er f ^ encies as described by Edgar Allan Poe in 

b t by .?, nd lar ge cryptanalytic science consisted of ad 
* h ° 1U * io "\ to ®Pecific cryptographic systems. This was true also 
* r t ‘J e Wbesbstone and Kryha mechanical cryptographic devices, but with 

kT” W ° rld WarS 1 and 11 of such generic electromechani- 
ff* 9 raphic components as "wired wheels" and "pin wheels" came 

nr?nr.^i e o « s ° PP n# tUnity and nece ssity to develop generic cryptanalytic 
p inciples. Of course, each specific implementation and each particu- 
o°„ f % general cryptographic principle require some specific 
f 5 he general at back on it, but nevertheless there are 
hasic approaches to wired wheel problems that are quite different from 

^?.. baSiC , a f pr ° aChes to pin wheel problems. The basic approaches to 

c ^ y P ta / lalysls and to presently emerging cryptographic 
techniques differ from both of these. 


B. Technology 

i-uo 0 r, H i£ le ^7 S new warfare techniques (the Blitzkrieg), developed be- 

3 ^ d 8e ff nd wor ^d wars, demanded new command and control 
. 1 j 1 * 8 , and radio communication technology was ready to do the 

job if adequate cryptographic security could be maintained. The Ger- 
tbe co “»ercial ENIGMA electromechanical cipher machine 
f°“ ld be ^P^ved enough to satisfy tactical requirements, and commit- 

tha * course - They later developed electromechanical 
cipher machines (TUNNY and STURGEON) for higher-level
communications. The United States, over the objections of William F.
Friedman, used for some field communications a modified version of the C-38,
called the M-209 (Army) or the CSP-1500 (Navy), that was built in this
country under an agreement with Boris Hagelin, inventor of the C-38.

was bi!SE W Nl S G ^ he ™ C v tr ° me , Ch ?" iCal SIGABA ' which

Si e GABA a11 and eXploited ^ring the w'ar^but ® (a^pfrintlyf^o? 

oped S t| h il«c\ te EN?GS e ^nH iC 4L,v nd ^rPtanalytic techniques were devel- 

?«sv.? sectioni is*«gi u si ) oi 

SWS.T *The h bomVe^ ’were f ° “u^d ^ £ 

vacuum tube electronics while* the 3 VnrrXfif 1 *'^, troinechanical with some 
tubes and some electromerhanlrai he C0L0SSI had a fe w thousand vacuum 
under the K C0L0SSI were put together 

neers in England (and ^ter here) and thel® °5 the best •»9 i " 

pear to be the "missing link" in the jLSilS* did J - " fact work - They ap- 
(a la Charles Babbage) ? to EDVAC fthe JT?i“ tion of computers from theory 
Machine) ; see riQO i (1211 he fir b Programmable general purpose 

HiFicn/icno nfr i nm us , | U |- 1 l J • ^ (b)<3HPl 86-36 

the D B o y int h \h 1 .l t %,\Vil'^;L5°>° Unicatl °" s technology hed progressed to 

alike. r SIGINT cryptanalysts and COMSEC designers 

- IWL U5k UNLV I . . . ,(bK3H».L 86-36 


were' greatly influence? ^y*previous *«lVctnMu!d» cipher machine designs 
a state of affairs observed Zlwhire ° ipher shipment, 

dix IV) . Electronic technolSSin Ihe ° f Appen " 

tubes, which could not easily be uqA H h !« 194 °. ■ waa based on vacuum 
wheels were another matter- tL«« < e ° ula , t “ wired rotors. Pin 

in a circle were well adsntoH ♦- < n ^ a i n i n 9 multiple anodes arranged 

over, much great*f le xib iTity° for U eont °5 pin wheels * 

"wh eels" was availa ble with electronic logll 9 8t6pping of such 



(b)(3)-P.L. 86-36

and a number of U.S. cipher machines were designed to use "Koken"
registers, as they were called in this form.



same time, general purpose electronic computers were being
investigated for cryptanalytic applications and NSA (actually its
predecessors) was soon heavily involved in computer design, [181], [211].

Friedman had introduced IBM punched card machinery into
cryptanalytic and cryptographic operations before WW II, and it was heavily

by Army cryptanalysts throughout the war, [10].
reauirempn^vii' 43 S b 74 the *I SA R&D or 9 an ization indicated that COMINT 
million f ^o4t naly eV C ec ? u L i P lnent had grown by a factor of about one 
million since 1945. Since then communications volumes and speeds have 

~ Wi . th neW electronic technology and new technics 

C slonlri d d - alm ° S u cont inuously. This puts great pressure on de- 

ri^es annL J . C oh Y ino 0 w^?? y ' Wh ° today DUSt soinehow produce key bits at 
must anVw™ Pillions per second, and also on cryptanalysts, who 

same teohnol volunes °f data. Computer designers have used the 
that in electr ° nic circuitry to develop machines 
math Q ™t^4 d 4 bill i ons of Pinary operations per second, and cryptanalytic 
mode™ Jinh 8 " 8 h t^ e USed SUCh ca P ab ilities to develop new attacks on 
genuineli P new TdAa 1 " 6 ?' Each , new generation of supercomputers elicits 

of old ideas ai?h h tt ta *. CkS (n f fc ffierely the faster implementation 
tGm{V. d n id t v Xt L h gh that sur ®ly takes place also); cryptanalysts 
can Obtain t0 th ? li f it the capabilities of any new tools they 
can obtain as they grapple with previously intractable problems. 

bv de T c h reaied re ^ S « e t d *°v5 el ® ctr °nic components has been accompanied 
to desian and h?,^d th ® result that ® an y countries can now afford 
ouslt ^Jh» e b ^ ild heit 4 °, Wn cr yptographic machines whereas they previ- 
ciai y cinher manh4n 0n “ ercia ^ cry 5 t0graphy - Moreover, many more commer- 
thai ^ve? Thf r ® offered for sale today Py many more companies 
inni»r m n b V This means that today's machine cryptanalysts can no 
a??av of nea?w a ?nn° n 3 ^ ^ OWn cryptographies, but face instead an 
nshs 7 fmd n * arly 3 °° commercial machines which may be used by our tar¬ 
gets, and an ever increasing number of indigenously designed (and th6re- 

mation n ^p W hLl Cry ^ t0graP ' l li e !4’ Zt is als ° true that more fonns of inf°r- 
w?th^P^nd^^ ,\ r r S ^, tted today; cryptanalysts have to deal not only 
and h dlo1^f? f i 1 ?! messages") but also with speech (both analogue 
terictyp 1 'f f d C t lmile ' COmpUter data ' telemetry, video, and other eso- 
nol of . MIT ^ieves, [193], that today's computing tech-

gives the cryptographer an overwhelming advantage over the cryptanalyst,
and argues his thesis by means of an example. In my opinion,

lSn™« Pa 5S y b - t his a PP roach is entirely too simplistic and 

tiona IvSL. eal rJ i ? S ° Pr 2?*i Cting high-speed, high-volume communica- 
It is nevertheless true that modern technology is making
cryptanalysis much more difficult than ever before.


C. Mathematics 


(b)(3)-P.L. 86-36


in his career William F. Friedman consciously set qu£ to sys- 
lt ? y V an ?, he laid the foun dations of mathematical crjp- 
° Wn Work and wri tings (though’he was not a 
mathematician) but by hiring mathematicians (e.g., Solomon Kullback and 
“ S * nko J'> a “°ng his first assistants whin the Army's Signal iSt^? 

Chamber h®®*®!?* < UP under bis leadership after Yardley's Black 

«-», W dis banded in 1930. This trend yas given added emphasis 
years of World War II because a number of noted mathemati- 
tinalvtic work £® re t0 bec ° me noted > wisely were drawn into cryp- 
Shaun^ Wyliedn* England? 0 and | Alan ^ ^ SS 

? »pUrTl 0 r n a th : (See paragraphed'Ind B 

worked in Probably incomplete list of mathematicians who 

ini work VXiil dU ^l ng bhe war.) Moreover, it was the pioneer¬ 

ing work of the Polish mathematician Marian Rejewski, ri921 that was 

(see°p S araaraDh L V'*** . Brit T ish and American successes against ENIGMA 

ciDher Se ^ on 1 JI ) • Tt has turned out, of course, that 

(althiuoh thii atin.? a ^ rly 1 8U8Ceptible to “athematical analysis 
these in f Sit 8ol , ved or exploited), and the work of 
tnese men firmly established the value of mathematics in cryptanalysis. 

outstandin 9 contributions to cryptanalysis made by these math- 
“ ‘ ‘“J caused^both the United State, end England to recognize Se 

tsjs; z £~rWi sc ^ t “ alv -—‘ 

;a2*“sS5“ li -» 

erat*on uStil it "rS* 5®u“fanatics Panel, which continued in op- 
° n xintil it was disestablished by then Director Admiral Gavler in 

on She ESSES tl5 e ] C ° ntains a list of mathematicians w£o hadse^veS 
nlniv T D tiCS Panel , up t0 1965; Lt is reproduced in paragraph C of 
JSrl wemenroH. 0 ™®^ 1 ^ 8 ° f , the Panel were taken seriously .and many 
cal Journ??® h JS aCti °"! include the initiation of the NSA Techni- 
ell»bPr S l , formation of the CryptoMathematics Institute. 
Ltdd B ,Ti?i' r n. ere ° 1S0 ° f gre5t assistan ce in our efforts to recruit 
At about the same time that .SOAt? was formed, NSA also embarked on
a recruitment program for mathematicians to supplement those who stayed
with the Agency upon leaving military service. Some 70 were recruited
in 1951 by such mathematicians as Marshall Hall, Jr., and I

T who had been recalled to active duty during the Korean conflict. 
Most of these new people had Masters Degrees in mathematics, and about
half survived a clearance process that for the first time included the
polygraph. This group, known as the Junior Mathematicians, has made
outstanding contributions to cryptomathematics. However, the project
was a one-shot effort and it was not till 1963 that a continuing hiring
and training program for mathematicians was established (in the interim
there was uncoordinated but fairly generous direct hiring of
mathematicians by various elements of NSA). A list, derived from memory, of
those Junior Mathematicians who were finally cleared is contained in
paragraph E of Appendix I. Nearly all have now retired.


In 1952 NSA also initiated what was to become the annual SCAMP
(for Special Committee Advising in Mathematics, with "P" added for
effect; see [61], p. 3) program, a project in which prominent
mathematicians are cleared and brought together for a few months in the
summer to work on difficult cryptomathematical problems arising at NSA. A
great quantity of high quality work and many useful ideas flow from
this project, as well as contacts valuable in recruiting mathematicians
for full time employment. Appendix I lists the nongovernment
mathematicians who attended the first SCAMP session.



A few years later, in 1959, NSA established a "captive" think
tank, the Communications Research Division of the Institute for Defense
Analyses (IDA-CRD), located in Princeton, N.J., [152]. Many prominent
mathematicians, among them A.A. Albert, J. Barkley Rosser, Gustav Hedlund,

and Donald Knuth, have worked at IDA-CRD on temporary
(one or two year) appointments and a number of equally talented
ones are there on permanent appointments. IDA-CRD has administered the
SCAMP program since about 1960. Such general cryptanalytic techniques

] as well as a number of specific 


cryptanalytic suet

produced by IDA-CRD, have amply repaid the investment.


(b)(3)-P.L. 86-36

Through the efforts of Frank Raven, 1963 saw the beginning of the
PI Cryptologic Mathematician Program in which 20 to 30 high-quality
mathematicians are hired each year to enter a three-year program of
combined on-the-job training tours and formal classroom training in the
applications of mathematics to cryptanalysis. Most of these
mathematicians come to NSA with Masters Degrees; some have Doctorates and
some have only Bachelors Degrees. This program has been a remarkable
success, with graduates now working in all parts of this Agency, including
executive management levels.


The Junior Mathematicians and the Cryptologic Mathematician
Program have not been the only sources of mathematical talent for NSA;
fewer than half the Agency's mathematicians belong to these groups.
The others have come as direct hires to R5, XI, G4, A5 (or to
predecessors of these), and to a few other organizations, and they too have
made significant contributions to mathematical cryptanalysis over the


(b)(1)

(b)(3)-18 USC 798
(b)(3)-50 USC 3024(i)
mathematicians S'tt^wSldf^At" thV “nd^of ^ga?* lar 9 est employer of
sons with Bachelors Decrees in f 1987 • ther e were 273 per- 

grees, and 69 more with Doctorates for^'tota?of M 7 With Masters De- 
at NSA with the job title „ tota i of 587 persons working 

supporting mathematical cry^tanalysis^ There* CtUa ^ ly doin 9 or 
ber of persons with advanced d^nLc ’ < The f!! was also a sizeable num- 
title, such a. "Computer Scl.nti.t-, -K.n.““*“ r j ° b 

D. Public Cryptologic Research BJUusc;* 

(b)(3)-50 USC 3024(i)

—t^thematical theory S&fc/U 8 r - ° f « !«*»*? * 

call public key cryptography) ^thSt "°" Becr ® t encryption, which they 
cryptology among research triggering extensive interest in 

increasing iSSrtSISrof^2l!S J fh“ “i 1 ° Ver the world * Also, the 
has fueled a great deal of mathe™^ 601 ? f ° r conununica tions technology 
turns out to «^rlap^Sp2^“SSJ ZX?* that field ' whi ^ 
siderable extent (see Chapter 4 of n 7 n c mathematics to a con- 
—°k s (®-g-r figs/) shoJThat 0 »r°^?Z»;.. r^* ral recent papers and 


machines, ^nd^here 3 i^ much^f ore ign^nteris t coaunercial cipher 

now devoted to cryptology, m addition ir i the annual conferences 

dependents discovered by university cryptography was in¬ 
years after GCHQ's James Ellis fi«t 5 Ti C . anSf [86] ' sev eral 

idea has led to new areas of , it: in 1970 ' t 92 J- The; 

needed for operational problems in cr VP tana lysis that will be- 

begin to use' publickey fystels^ The fact^that c Wtographers; 

actively studied and results nubH-hJIi <1 X that th ® se areas are being, 
it much more difficult for NSA* cri? 0 Mtt ra “lcia/ literstu « " ln 
Another aspect of today's technology that will greatly affect
cryptology is the rapidly increasing power and decreasing cost and size of
microprocessors. Many new cipher machines today are based on
microprocessor chips, which means that the cryptography is in software
form and can thus be changed easily and inexpensively (and frequently, if
desired). Whereas cryptography implemented in hardware can be expected
to remain in use for quite long periods of time hence justifying some
time and expense to develop attacks, software cryptography can be
replaced overnight which means that attacks must be developed under time
pressure, if at all; it may not even be cost effective to attack usages
of software cryptography that change too frequently. On the other
hand, it is more difficult than most people realize to devise secure
cryptography and therefore we may expect frequent software changes at
least occasionally to produce highly exploitable systems. Identifying
and diagnosing them will be the problem.

E. Prognosis 

Mathematical cryptanalysis is in a time of transition caused by
technological changes in hardware and by unprecedented public interest
in cryptology. Huge volumes of enciphered communications are on the
and volumes are increasing exponentially, providing more
opportunities for cryptanalysis than ever before. Of course, formidable
obstacles must be overcome in order even to mount cryptanalytic
attacks: collection technology must be developed to cope with these
volumes; methods to select vulnerable transmissions must be devised;
signal analytic technology must be modernized; and adequate numbers of
mathematicians and cryptanalysts must be trained to deal with tomor- 

laaain^Tnit 61113 V BU J th l fc eVer the P osition of cryptanalysts — 
nology! 9 ^* few steps behind communications and cryptographic tech- 


° n tb ® other hand, technology is a two-edged sword. Supercomput- 
ffct° f ^^!f" e f ation , ha " e been eagerly embraced by cryptanalysts; in 
!^^ Cr P^ nalytiC ., needs have driven th ® development of computer hard- 

and ar ® largely responsible for the U.S. lead in that 
bombes o^ww* n T °°' r p?gial Purpose m ac hi ne s h a ve b ee n hui it re.n. . 


The challenge is for cryptomathematicians to remain no more
than a few steps behind the cryptographers.

II. Mechanical and Electromechanical Cipher Machines


£ i 2L“? nd "° rl , d War has baa " ve ^ 

%“i 4 r-M --- 

sketchily, j numSer of^ mechanical F ^ edaan discussed, rather 

Wheatstone manually-operateddetice^? 9 theKrv?* “/* S ^ Ch 35 the 
vice. Neither of these was -~,n„ V* * nd j® Kl ? yha spring-driven de¬ 
significant general cryptanalyti^^echnTm^^ n ? i f h f r gave rise to an V 
the development of wired whLl nic ? ue ®- Friedman then discussed 

took place in the United Stalls :og 1 raph ^ particularly that which 

and M-209 devices^e M^Og is tt. U S i™*^***? 1 * Hagelin B ‘ 21 
produced for Army field use; it is J? ^ gnation of a mac hine 

Hagelin C-38 device described in »« ear i^ identical with the commercial 
tion of the Japanese purple machino P6ndlX ^ V j‘ Fried »an made no men- 

MASS 1 ™ - 1 SS2TSM: 

printer cryptograph .£"“ 0 *, ?™f? tion Ln 1917 ° f “-ti»> tape tell- 

" : - ,ll, '" lw " 1111 ^ * .(b)(3)-P• 
B. Teleprinter Cipher Machines

III. Electronic Cipher Machines

No single electronic cipher machine, nor even a small group of
them, seems to be responsible for the development of any significant
body of cryptanalytic theory. Rather, it is the generic technology
itself that has shaped the course of cryptanalysis of such machines (see
Appendix V for an example of electronic cryptography).

There are at least two reasons for this. First, the theory
originated in U.S. and British COMSEC studies that began before any
electronic cipher machines even existed and continued throughout the
developmental phases of a number of equipments. Much of it led to design
revisions before production began and so cannot be attributed to anything
that was ever actually built. A considerable portion of the theory
grew out of abstract mathematical research not specifically related to
anything tangible.


paper, [88], is an excellent
presentation of the way in which electronic technology shaped U.S.
COMSEC and, thus, the cryptanalysis of electronic cipher machines.

IV. Other Techniques


There are a number of cryptomathematical techniques and theories
that were not developed in connection with specific cipher machines
(and some that were developed within compartmented problem areas whose
details cannot be discussed here) that I believe are important enough
to mention in this paper. As NSA's mathematical population grew over
the years, the amount of classified cryptomathematical activity
increased and diversified so much that it is now extremely difficult to
survey it comprehensively. I have therefore tried to identify
mathematical developments that are general and will have or have had
lasting technical consequences for cryptanalysis. I have included also
several techniques important to data processing in general, such as
sorting, whose cryptanalytic applications have warranted considerable
classified development internally. Most of the above can be categorized as
either statistical methods or algorithms, although there are a few
which it is more convenient to consider separately.

Statistical and probabilistic questions and methods pervade
cryptanalysis. The cryptanalyst continually wants to know how likely some
observed or hypothesized event is, or where to set thresholds for
statistical tests, or how to program a computer to recognize plain text;
the variations are endless. These questions nearly all relate to the
“2 1 ?“ la jL ion * of data <>■■*■' algorithms) carried out or to 
cr yp tana lyst or by a computer. To call certain 
cryptanalytic techniques "statistical" while others are called "alqo- 
. lar 9ely a matter of emphasis.* and personal taste. Near- 
iy ®ll statistical cryptanalytic techniques involve algorithmic fea- 
2?5V cryptanalytic algorithms/have some statistical fea- 

egorizations dgments in thls matter have resulted in the following cat- 
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first Proteges^ pibiis^ad^ his 3 Jioneeiin 0 " Ku i 1 ^i ac3c ' ° ne of Friedman's 
Cryptanalysis", [142],ihich hasnow " 9 " Stat *stical Methods in 

to the public from A.^ian Park Pr ese is bailable 

eral aspects of probability and Kul lback;sketches some gen- 

probability distributions of interes? ifl^v^ deSCCibeS briefl y a 
and then dispusses a number of crvotanalJt^i 7 to . 1 cryptanalysts, 
tions (he us es some concepts f-£ yP tanal yt , ic applicati ons of these nn- 

plain text ^fregency 0 data‘7or sever^ ^ tabies * nd charts ' 
5iM, POi . S f° n distribution for various oaramfi-e!- lan . gua, ? es and graphs of 
he the first formal cryptomathematical J values. This may well 

mathematician or mathematical statistic! 30 An ! erican professional 
one of any nationality. atistician, conceivably the first by 
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B. Algorithms 


An algorithm is an explicit step-by-step method for accomplishing
some specific task, a method that can be built into a machine or
programmed on a computer. [...]

V. Computing Power

[...] these functions. [...] were also constructed during the war to
make frequency counts [...] emerging digital computers for
cryptanalysis. That possibility was [...] foresighted cryptanalysts and
[...] (see [209] and [211]), not only benefitting NSA but [...] giving
the United States the lead we enjoy [...].

(b)(3)-P.L. 86-36


A. Special Purpose Devices 


[...] Special Purpose Device (SPD) is used at NSA to refer to any
machine built to perform a [...], usually one related to cryptanalysis.
Perhaps [the] first SPD [...]. This device was followed by the [...],
both [...] paragraph A of section [...].

[...] a variety of relatively small SPDs to do such "general" special
[...] as making frequency counts of various kinds on [...] data
(supplied usually on punched paper tape), combining two data streams
([...] bit-by-bit mod 2 sum of two teleprinter messages), [...]. Such
machines were called analytic aids. A number of SPDs were also built to
perform decryption operations once all cryptovariables had been
recovered; these were analogues of the cipher machines [...] systems
used by the actual German or Japanese communicators.

[...] it operated at 5000 characters per second.

[...] NSA (really AFSA at the time) in 1951, [29], and the plan at that
time [...] several of them to handle all our requirements. [...]

[...] predictions of the demise of SPDs. However, the supercomputers
of [...] generation have never been fast enough to cope with all the
cryptanalytic problems of their era. In some cases, breaking [...]
system requires far too much work even for the computer to [...] any
reasonable time; in others, the number of messages in a particular
system is so great that breaking them all would occupy [the computer]
to the exclusion of other work; in still other cases, [...] cheap that
using a computer would not be cost effective. Most importantly, a
requirement for timely decryption of messages in [...] system usages may
preclude waiting for computer solutions even though the work would not
overload the computer. The answer in [...] (if the problem has high
enough priority) is to build [a] special purpose computer designed to
attack the specific problem in [...]. [...] is such a machine, as was
COLOSSUS (although COLOSSUS turned out to be much more flexible than
anticipated).








Doc ID: 6649792 





[...] SPDs have now been largely superseded by remote terminals [...]
general purpose computers of various sizes and, more recently, [...].
Analogue SPDs used solely for decryption have [...] part been replaced
by terminals and/or personal computers.

B. Digital Computers 

[...] the proposal and eventual development of what became [...] for
scientific number-crunching, not cryptanalytic applications [...] in
those early years [...] (later President of Control Data Corporation,
now retired) with [...] Meader and the backing of John E. Parker [...]
which later merged with UNIVAC, and still later many of the [...]
Control Data Corporation which in turn spun off Cray Research, Inc.

[...] (using octal [...]) [...] machine [...]. Debugging was done in
real time at the console of [the machine] itself. It was a great advance
when assembly languages were introduced by IBM in the mid to late
1950's, but it was a blow to [...] when in 1957 or 1958 they were no
longer allowed to debug at the [console]; instead, computer operators
ran the programs and gave [them a] memory dump (in octal numbers!) for
debugging purposes.


[...] being carried out in providing remote terminal computer access,
resulting in a series of systems: ROGUE, which [...]; ROB ROY, which
used BOGART; and RYE, [182], which [...] UNIVAC 490's that were upgraded
later to UNIVAC 494's. [...] services were furnished [...]
cryptanalysts [...] to satisfy one of the most important requirements
of the analysts — easy access to computing power.

[...] the computers [...] main frames [...] day. They, too, required
easy access, and in the late 1950's and the 1960's [...] they wanted
programs to be written quickly; there just was no practical way to give
analysts hands-on access to the computer. To get [programs] written in
a hurry, most analysts learned to program in assembly language and then
(sometime in the early 1960's) in FORTRAN [...] COBOL. Open shop
programming, as this was called, became officially sanctioned at about
that time and efforts were made to provide [...] turn-around time for
debugging runs of FORTRAN programs. All transactions, as well as those
for operational runs, were [...] "over the counter"; card decks with
programs to be debugged or run were taken to a counter located in T
spaces (it was not then named T, of course) where they were logged in
and passed on to the computer operators. After they were run, the
magnetic tape output [...] line printers where [it was] queued up
according to priority for printing. Bookbreakers' output, which was
often quite lengthy, sometimes [...].

[...] features as instruction lookahead, [...] and many others. The
concept of operations was a step backwards [from the] cryptanalyst's
point of view. The original idea was to treat [...] as a factory
running on a 24 hour turnaround cycle, so that [...] a job over the
counter [...] 24 hours later. [...] all too inaccessible to use [...]
for cryptanalytic research purposes.

[...] 1959, had in 1960 acquired its first [...] system specifically
designed to give researchers [...].

As plans were made to upgrade IDA-CRD's 1604 to a CDC 6600 ([...]
supercomputer), the [...] was made to do away with card decks [...] and
even the best dyed-[...] (Glenn Stahly) soon abandoned the "security"
of his card decks. [...] gives a brief outline of IDA-CRD computer
[...].

[...] (the Soviet problem) and G4 [...] FOLKLORE operating system [...]
of these [...] increase is needed now for W (signals analysis), for
[...] (the PRC problem), for [...] (COMSEC evaluations), and for R
(research).

[...] supercomputers, technology for networking and for [...]
computers has emerged, making it technically possible to fulfill the
[...] dream of having supercomputing power [...] her own desk. That
takes money, though, and it will [...] years before the dream is fully
realized, but NSA is moving in that direction. Considerable numbers of
personal computers (PCs) are now present in working spaces, local area
nets (LANs) are in [...] in a few offices, and plans are being
considered for making the supercomputers accessible to the PCs via
networking. [...] of providing adequate computer security [...] problem
far from solved at the time this paper is being written.

VI. Public Key Cryptography


[...] (see Appendix VII) are mathematical in nature, depending on
transformations that are difficult to invert in general. [...] have
asserted that the discipline called computational complexity theory
(reference [111] contains a good introduction to complexity theory)
[...] the understanding of public key methods, and that NP-hard [...]
should be used as the basis for such systems. For instance, the [...]
problem is known to be NP-complete (and therefore [...] in general),
and thus should lead to a good public key cryptosystem according to
this philosophy.

[...] both newly proposed ones and those already [...]. [...] consider
all the techniques of [...] a number of generic attacks unique to the
COMSEC arena. The reasons for this are that U.S. systems today have
features different from most of those faced by operational
cryptanalysts and [...] COMSEC evaluators must consider types of
attacks that may [...] with [...] technology but are likely to become
[...] in future years. The future must be considered because cipher
[...] proposed today, if actually built, are likely to be in use for
many years to come. The communications they protect may also need
protection [...]. [...] costs is therefore an important [...].

VIII. Summing Up

[...] cryptographic periods: the electromechanical era, the electronic
era, and the computer (or computational) era that has just begun. In
[...] era, cipher machines were based on wired wheels [...] pin wheels,
components possessing certain properties that led to [...] types of
attacks to which certain [...] of mathematics were applicable. More and
more sophisticated electromechanical designs evolved over the years, of
course, especially in [...] most sophisticated cryptanalysts and the
most advanced hardware technology. This forced the cryptanalysts not
only to [...] attacks but also to press for ever faster [...].

[...] it is also [...] many cryptanalytic problems. Not only did cipher
machines of previous eras continue in use well beyond the introduction
of newer ideas, but some of the newer systems were vulnerable to
classical methods. Moreover, at the present time we find that [...]
techniques are required to solve problems in other fields, notably in
[signals] analysis, where modern communications technology has turned
[...] and previously unseen signals into [...].

[...] cryptanalytic advances over the years have always stemmed
directly from [cryptographic] advances and that their forms have been
dictated both by the technology (in the forms of hardware, software,
and [...]) [...] the cryptography and by the technology available for
manipulating data and performing computations. I have found no [...] of
cryptanalytic techniques being developed in the absence of [...] or
SIGINT cryptanalytic problems. In the [...] environment I believe we
can best prepare for the future by increasing [...] of mathematical and
computational expertise and by closely monitoring [...] in these areas
and in the domain [...].

[...] one step that should help [...] cryptanalytic [...] the requisite
resources to [...] with (at a minimum) or stay ahead of (if possible)
the public [...] and those targets which may take advantage of all the
[...] as with the broadening range of [...].

(b)(3)-P.L. 86-36

Appendix I: Mathematicians in Cryptology in the 1940's and 1950's

A. British Mathematicians in WW II Cryptology

[...] West mentions a number [of] British mathematicians who worked at
GCHQ during World War II. It is obvious that he has not identified
[all the] mathematicians involved [...] at [that] time, and he [...]
field. [...] Here are the names of those West calls mathematicians:

[...], "[...] Professor of Mathematics at Edinburgh University" [...];

(b)(1)
(b)(3)-P.L. 86-36

Harold Fletcher, "the Cambridge mathematician" (p. 180);

[...], "[...] Professor of Statistics at [...] Virginia [...]" [...];

[...]ton, "later Professor of Mathematics at Cornell University" (p. 191);

[...], one of "three distinguished mathematicians from Cambridge" [...];

[...], "[...] talented, [...] unorthodox, mathematician" (p. 90-91);

[...], "later Professor of Mathematics at London University" [...];

[...], "later Professor of Machine Intelligence at Edinburgh" [...];

[...], "University lecturer in Mathematics at Cambridge" [...];

[...], one of "three distinguished mathematicians from Cambridge";

[...] T. Tutte, one of "the mathematicians" (p. 191);

[...], "[...] distin[...]" [...];

[...] Whitehead, "later Professor of Pure Mathematics at Cambridge" (p. 192);

Shaun Wylie, "brilliant topologist" [...].

[...] technical papers produced by [...] research groups on ENIGMA
problems during [the] War ([31] is one volume of [...]). The following
names of authors were found among those papers with [...] indication of
which [...] mathematicians. In some cases, no first names or even [...]
were given [...].

Howard H. Campaigne (later with NSA);

Church;

A. H. Clifford;

G. F. Cramer (later with NSA);

Reed Dawson (later with NSA);

Joseph Eachus (later with NSA);

R. B. Ely;

Howard Engstrom (later NSA Deputy Director for R&D);

Gilman;

[...] (later at NSA, and then an NSA consultant);

(b)(3)-P.L. 86-36

Robert E. Greenwood (later at NSA [...]);

[...] (later at NSA, and then an NSA consultant);

[...] (later at NSA, and then an NSA consultant);

Robert Hampton, III;

Hanson (may be Eugene Hanson, who attended the first SCAMP);

J. H. Howard;

Dr. H. L. Krall;

Aubrey W. Landers;

Menzel;

Edwin E. Moise;

Pearsall;

W. R. Willis;

W. D. Wray (later with NSA).



[A] cursory search through technical papers of the Army Signal
Intelligence [...] of its successors, for the period during and shortly
[...] II, turned up only a few names of authors who had written papers
[...] any mathematical content. Many papers of that time [...] signed
or attributed to their authors. [The] list of mathematicians and
possible mathematicians is thus quite short:


Jane Brewer; 
David Cowan; 


Daniel Dribin; 
William H. Erskine; 
Bernard Gechter; 
Walter Jacobs; 


Solomon Kullback; 
Frank Proschan; 
Frank Rowlett; 
John N. Seaman; 
Abraham Sinkov. 


C. [...] of the NSASAB Mathematics Panel, to 1965

[...] mathematicians who [...] (affiliations are as of the last date of
Panel service):


A. A. Albert, University of Chicago, still serving in 1965;

Stewart S. Cairns, University of Illinois, still serving in 1965;

[...] Institute of Technology, [...];

A. M. Gleason, Harvard University, still serving in 1965;

Marshall Hall, Jr., Ohio State University, still serving in 1965;

[...] A. Hedlund, IDA-CRD, served May 1960 to 1963;

[...], University of California at Berkeley, still serving in [...];

Richard A. Leibler, IDA-CRD, served until 1963;

H. Jerome Keisler, University of Wisconsin, appointed in [...];

Saunders MacLane, University of Chicago, served until [...];

Brockway McMillan, Bell Telephone Laboratories, served until [...];

John Riordan, Bell Telephone Laboratories, served until 1962;

[...] (Panel Chairman, 1953-[...]), California Institute of Technology, [...];

[...] Rosser, University of Wisconsin, still [...];

Claude Shannon, Bell Telephone Laboratories, served until 1958;

[...], University of California at Los Angeles, still serving [...];

[...] (Panel Chairman, 1958-64), Princeton University, served until [...];

John von Neumann, Institute for Advanced Study, served until 1957;

[...] Wilks (Panel Chairman, 1954-[...]), served until [...].

NSA Executive Secretaries to the Mathematics Panel were:

William A. Blankinship, May 1957-Jun 1961;

Daniel M. Dribin, Jun 1961-Apr 1965;

Ralph W. Jollensten, appointed Apr [...].

D. Mathematicians Attending the First SCAMP

[...] nongovernment mathematicians who attended SCAMP 52 (the first
SCAMP) [...]:

A. Adrian Albert, Professor, University of Chicago;

Truman Botts, Asst. Professor, University of Virginia;

[...], Professor and Head [of] Department, University of [...];

Dick Wick Hall, Professor, University of Maryland;

[...] Hanson, Professor and Head of Department, North Texas State
College;

G. A. Hedlund, Professor and Chairman of Department, Yale University;

John C. Koken, Research Assistant, University of Illinois;

Richard A. Leibler, Sandia Corporation;

Lowell J. Paige, Asst. Professor, University of California;

A. E. Roberts, Jr., Engineering Research Associates;

Donald C. Spencer, Professor, Princeton University;

[...], [...] Investigator, Logistics Research Project, George
Washington University;

James A. Ward, Professor, University of Kentucky;

Charles Wexler, Professor, Arizona State College.

AFSA personnel (most of them mathematicians) at SCAMP 52 were:


Patrick P. Billingsley, AFSA-341 (an R51 predecessor);

Charles Bostick, AFSA-206 (a P1 predecessor);

Jane Brewer, AFSA-412 (a COMSEC element);

Howard H. Campaigne, AFSA-34 (an R5 predecessor);

Reed B. Dawson, AFSA-341;

Daniel Dribin, AFSA-206;

Joseph J. Eachus, AFSA-35 (an R&D element);

[...], AFSA-206;

Bassford C. Getchell, AFSA-206;

Andrew M. Gleason, AFSA-341;

(b)(3)-P.L. 86-36

[...], Jr., AFSA-34[...];

Arthur Levenson, AFSA-206;

Robert H. Shaw [...];

[...], AFSA-14 (possibly a Security element);

[...], AFSA-412;

(b)(3)-P.L. 86-36

[...], AFSA-206;

[...], AFSA-344 (possibly an administrative person).


E. Junior Mathematicians of 1951 

[...] during the 1950-51 school year and entered on duty during the
[...] of 1951. They were [...] first to the Training School, located at
that time on U St., NW, in downtown Washington, [...] group when enough
had appeared. Initial training was provided by self-study courses in
cryptography and then elementary cryptanalysis, followed by some
courses especially designed for them. [...] of that year the group was
moved to Arlington Hall Station in Virginia where AFSA (soon renamed
NSA) was located.

[...] and the Junior Mathematicians suffered through the birth [pangs]
of that effort. It turned out, in fact, that about half of the group
was eventually denied clearance. However, it was kept [...] because
[of] hopes of clearing everyone, and [...] occasional lectures [...].

[...] was realized that the clearance process would [...] forever,
[...] had been cleared were moved to operational spaces where a series
of short (two-week) on-the-job training tours were arranged. [...] of
the mathematicians were given a series of full-time courses on the
[...] of IBM and other data processing equipment while the [...] took
full-time courses in ENIGMA, STURGEON, and [...] (the plan was for each
half of the group to take each series of [...], but that didn't
happen). Following this, everyone was deployed to some longer-term
cryptanalytic or data processing tour [...] all were assimilated into
various operational organizations.

[...] memory, with the help of Charlie Bostick, Ralph Jollensten,
Arthur [...], and William Lutwiniak, [contains] the names of most of the
1951 Junior Mathematicians who made it through the clearance process:



Charles Bostick;
[...]
Pansy Brooks;
[...]
Frank Dresser;
[...]
Sydney Fairbanks (not a mathematician);
Lowell ("Jim") Frazer;
[...]
Evelyn Garbe;
[...]
Fritz Goepper;
[...]
Lane Hart, III;
[...]
Robert Highbarger;
[...]
John Hodges;
[...]
Ralph Jollensten;
Richard Kern;
[...]
Edward Magnuson;
Paul Oyer;
Carolyn Palmer;
James Pettus;
Leonard Schlauch;
Marvin Sendrow;
Robert R. Smith;
William R. Smith;
Glenn Stahly;
Albert Verbits;
Bernard Witt.

Appendix II: ENIGMA (see [44], [158])

[ENIGMA] was the first wired wheel machine to be used to any [...].
[...] appeared in Germany about 1925 as a commercial offering [...]
version which had different wirings [...] wheels and [...]
input-output [...]. [...] ENIGMA was being used [...] the first six
letters of each message were probably indicators. [...] French
intelligence services developed a source within the German Ministry of
Defense who supplied them [with] code clerks' instructions for ENIGMA
and, subsequently, [at] regular intervals, with copies of daily key
lists (but no wirings).

[...] French intelligence then obtained permission to give the
information [to] allies and to suggest a common attack on the problem.
GC&CS (Government Code and Cypher School, the predecessor of [GCHQ])
[...] first chance, [...] filed their copies of the [...] respond to
the offer of cooperation. (Gordon Welchman, however, believes the
British had [...] more effort against ENIGMA [...] they indicated to the
French; see [6], pp. [...].) The French then approached the Poles, who
accepted with enthusiasm [...] share results of their work. However,
all cryptanalytic [...] that point. [...] 1 Sep 1932, those in charge
[of] Polish [...] brought in three mathematicians, Marian Rejewski,
Henryk Zygalski, [and] Rozycki. In the middle of October, 1932,
Rejewski was [...] and, using information in the documents from the
French, [...] he showed how the Grundstellung indicator system worked.
[...] about a month to develop a theoretical method for recovering
wheel wirings based on the fact that message settings (of the three
wheels) [were] enciphered twice to produce the six-letter indicator
[at the] beginning of a message (this was the Grundstellung indicator
system).

[...] out the calculation ([...] even with modern [...]). Then Rejewski
was [...] more documents that had been provided by France; these
contained [...] schedules of daily settings (wheel orders,
Grundstellung wheel settings used for enciphering message settings, and
plug board connections). [...] this time, wheel orders were being
changed only every three months, but by luck the two months provided by
the German [...] different [...]. All this information permitted [...]
simplified sufficiently for Rejewski to recover wirings of the three
wheels and reflector by the end of December, 1932.

The ENIGMA as it was at that time looked like this:

[Diagram: ENIGMA, showing INPUT from the KEYBOARD and OUTPUT to the LIGHT PANEL]


[...] could be inserted into the machine in any order (but not
[backwards]). There was a reflector (Umkehrwalze) which had input-output
contacts on only one side that were connected to each other in [...].
[...] had one notch on it which controlled the stepping of the wheels.
The fast wheel, F, advanced one position for [...] encipherment of
[a] letter; the medium wheel, M, did not advance for an encipherment
unless either F advanced off of its notch or unless M itself was [on]
its own notch, in either of which events M advanced one position; [the
slow] wheel, S, did not advance for an encipherment unless M advanced
off of its notch, in which case S advanced one position. The reflector
did not step during encipherment of a message (and in fact was not
settable). The stecker between the "maze" and the input [...] could be
changed by the operator but remained constant during the encipherment
of a message; it consisted at this time of [14 points] connected
straight through and 12 points exchanged in pairs.
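The stepping rule just described, as an added Python example (not code from the original paper): it shows the medium wheel advancing on two consecutive encipherments and measures the cycle of wheel positions that results. The notch positions, starting positions and function names are assumptions chosen for illustration.

```python
"""Wheel stepping of the three-wheel ENIGMA, as described in the text above.

Illustrative model only: positions are 0..25, and the notch positions used
below are constructed values, not the notch data of any real wheel set.
"""

ALPHABET = 26


def step(state, notch_f, notch_m):
    """Advance (S, M, F) for the encipherment of one letter."""
    s, m, f = state
    f_on_notch = f == notch_f   # F is about to advance off its notch
    m_on_notch = m == notch_m   # M is sitting on its own notch
    if m_on_notch:
        # M advances because it is on its own notch; in doing so it
        # advances off that notch, so S advances as well.
        m = (m + 1) % ALPHABET
        s = (s + 1) % ALPHABET
    elif f_on_notch:
        m = (m + 1) % ALPHABET
    f = (f + 1) % ALPHABET      # the fast wheel always advances
    return (s, m, f)


def trace(state, notch_f, notch_m, count):
    """Return the wheel positions seen over `count` encipherments."""
    seen = [state]
    for _ in range(count):
        state = step(state, notch_f, notch_m)
        seen.append(state)
    return seen


def cycle_length(notch_f, notch_m, start=(0, 0, 0)):
    """Length of the cycle of wheel positions the machine settles into."""
    state = start
    # Run long enough to leave any start-up positions that never recur.
    for _ in range(ALPHABET ** 3):
        state = step(state, notch_f, notch_m)
    anchor, length = state, 0
    while True:
        state = step(state, notch_f, notch_m)
        length += 1
        if state == anchor:
            return length


if __name__ == "__main__":
    # Constructed example: F notch at position 3, M notch at position 5.
    for s, m, f in trace((0, 4, 2), 3, 5, 4):
        print(f"S={s:2d} M={m:2d} F={f:2d}")
    print("cycle length:", cycle_length(3, 5))
```

Because M leaves its own notch on the very next encipherment, the positions repeat after 26 x 25 x 26 letters rather than 26 x 26 x 26.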

[The] alphabet ring on each wheel (by which the wheel could be set in a
specified position at the beginning of a message) was rotatable [...]
the core of the wheel and could be put at any one [...]. Thus, setting
the wheels so that the same letters appeared at the bench marks would
produce different settings of the [...] if the alphabet ring offsets
(Ringstellung) were different. [...] Depressing [...] also caused
[...].


[...] French [...] informed of the Poles' success on ENIGMA, and GC&CS
(later [...]) accelerated its own partly successful work against it.
ENIGMA was used by the German Army, Air Force, and Navy [...]
government elements. Although rather heavy, it was small enough for one
person to carry and it operated from batteries so it [...] use. The
Germans continually improved their usage of ENIGMA by changing wheel and
reflector [...]; by changing the indicator system several times; by
increasing the number of steckered letters from 12 to 20; by [...].

[...] after supplying Japan with some 185 machines they found that
[these] versions would be insecure if used as Japan planned to [...].
They therefore dragged their feet and Japan did not [...] it wanted.
Whether for this reason or not, Japan did build at least some ENIGMAs
of its own design, [23].

[...] of known uses of ENIGMA and of some other wired wheel machines as
of March, 1945, and of attacks against them.

Appendix III: TUNNY (see [11])

[TUNNY was a] teleprinter [...] developed by Germany during the Second
World War. [...] key [...] wheels [...] bits. The British called the
five [...] wheels "Chi wheels", the five hesitating wheels "Psi
wheels", and the two wheels involved in motion control "Mu wheels".

[The Chi wheels] were [...] 26, and 23 pins and [the Psi wheels had]
respectively 43, 47, 51, 53, and 59 pins. One Mu wheel [had 61 pins]
and the other had 37 pins. The 61-wheel stepped one position [for each]
character enciphered, and the 37-wheel stepped one position if [the
61-wheel had an] operative pin at its current setting but did not step
if the 61-wheel had an inoperative pin. The Psi wheels [...] motion
control [...]:

SZ-40 - [...]

SZ-42A - [...]

SZ-42B - [...]

[...] no other source; [...]

Appendix IV: Hagelin Machines

[...] and producing cipher machines as early as 1927. [...] 1935, 1936,
1937, and 1938 by the C-35, C-36, C-37, and [C-38], respectively. The
C-series machines were the "letter-subtractors", [of] which the C-38
became a huge commercial success, [...], and which the U.S. adapted for
field use during WW II under the nomenclature M-209 (Army), [30], and
CSP-1500 (Navy).

[The C-38 is a] hand-operated machine which produces numerical key
values in the [range] 0 to 25 and subtracts from them, modulo 26, the
plain text [...] letters are represented by values 0 to 25. The results
are converted back to the letters A to Z and printed on a paper tape
that can be torn into short strips and pasted onto a sheet of paper.
Key is produced by the interaction of six pin wheels having lengths 26,
25, 23, 21, 19, and 17 with a 27-bar [cage] in which [each bar] has
"lugs" which can be placed opposite any of the wheels. [Pin] and lug
settings are cryptovariables that remain fixed during encipherment of a
message. A crank is operated manually to encipher a letter; [it] causes
the cage to rotate so that each bar in turn passes the current pin of
each wheel. A lug passing an "active" pin on some [wheel] pushes its
bar to the left, thus contributing a value of one to [the key] value.
That is, the key value is the total number of bar [displacements]
during a rotation of the cage. The crank also causes each wheel to
advance one position so that new pins are ready for the next
encipherment. There is in addition a feature called the "slide" that
can [be set by the] operator to any one of 26 values but which remains
fixed during encipherment. The enciphering equation can therefore be
written as PLAIN + CIPHER = KEY + SLIDE, modulo 26, [81].
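An added Python sketch of the key generator and enciphering equation just described (not code from the original paper); it also shows that the same operation enciphers and deciphers. The pin and lug settings are constructed sample values, the class and function names are hypothetical, and the model assumes a bar is displaced at most once per cage rotation however many of its lugs meet active pins.

```python
"""Model of the C-38 key generator and enciphering equation described above.

Illustrative only: the pin and lug settings are constructed sample values.
Text is expected as upper-case letters A to Z.
"""
from math import prod

WHEEL_LENGTHS = (26, 25, 23, 21, 19, 17)
BARS = 27
A = ord("A")


class C38:
    def __init__(self, pins, lugs, slide=0):
        # pins[w][i] is True when pin i of wheel w is active.
        # lugs[b] is the set of wheels that bar b has a lug opposite.
        if [len(p) for p in pins] != list(WHEEL_LENGTHS):
            raise ValueError("need one pin list per wheel, of that wheel's length")
        if len(lugs) != BARS:
            raise ValueError("need lug positions for all 27 bars")
        self.pins, self.lugs, self.slide = pins, lugs, slide % 26
        self.positions = [0] * len(WHEEL_LENGTHS)

    def key_value(self):
        """Number of bars displaced during one rotation of the cage."""
        active = {w for w, p in enumerate(self.positions) if self.pins[w][p]}
        # A bar moves once if any of its lugs meets an active pin.
        return sum(1 for bar in self.lugs if bar & active)

    def advance(self):
        """Every wheel advances one position after each letter."""
        self.positions = [(p + 1) % n
                          for p, n in zip(self.positions, WHEEL_LENGTHS)]

    def process(self, text):
        """Encipher or decipher: PLAIN + CIPHER = KEY + SLIDE (mod 26)."""
        out = []
        for ch in text:
            value = (self.key_value() + self.slide - (ord(ch) - A)) % 26
            out.append(chr(A + value))
            self.advance()
        return "".join(out)


def sample_machine(slide=0):
    """A machine with constructed (not historical) pin and lug settings."""
    pins = [[(i * (w + 2) + w) % 3 != 0 for i in range(n)]
            for w, n in enumerate(WHEEL_LENGTHS)]
    lugs = [{b % 6, (b * 5 + 1) % 6} for b in range(BARS)]
    return C38(pins, lugs, slide)


def key_period():
    """Letters enciphered before all six wheels are back at the start together."""
    return prod(WHEEL_LENGTHS)   # the six lengths share no common factor


if __name__ == "__main__":
    cipher = sample_machine(slide=7).process("MATHEMATICS")
    print(cipher, sample_machine(slide=7).process(cipher))
    print("key period:", key_period())
```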

[...] models designated BC-38 as well as C-38 versions for other
alphabet sizes, and some versions with mixed print wheels (i.e.,
letters A [to Z were] associated with numbers 0 to 25 in a scrambled
order). [These] were not changeable, however, as were the mixed print
wheels for [...] models. In addition, he designed a variety of
one-time-tape [...] and teleprinter cipher machines, but the C-38 was
the [...].

Appendix V: Electronic Cipher Machines

[...] properties for a cipher machine is that it should produce a key
stream, or [...] of machine states, that does not cycle, [...] repeat
over and over. Since it is impossible for a deterministic machine not
to cycle, the next best thing is for it to [have a] long cycle,
preferably longer than the total number of characters expected to be
enciphered before cryptovariables are changed. In the case of
electromechanical cipher machines, which typically [...] banks of wired
wheels or pin wheels, long cycles were obtained [...] of motion that
guaranteed this. For electronic cipher machines, linear feedback shift
registers with feedback logic guaranteeing maximal cycle lengths are
usually employed.

[...] representation of the classical model of [...]:

[Diagram: a shift register with LINEAR FEEDBACK, whose stages pass through the PLUGGING into a COMBINING FUNCTION that outputs KEY]

A step consists of: reading out the contents of [...] of the register [...] (consisting [...] bit); permuting them via the plugging for input into the [combining] function, which then computes the key bit; calculating the [feedback] bit; and then shifting each bit one position [...]. The leftmost bit is discarded while the feedback bit [...] into the rightmost stage. If the "feedback function" is properly [...], successive register fills will run through all possible [...] before repeating. It has been found mathematically that the logic to accomplish this must be somewhat more complicated than the simple linear logic shown in the example, but that [there are] feedback functions for every length register that will cause it to produce each n-bit pattern except all 0's before repeating. In such cases the cycle length is (2^n)-1.

The combining function is usually a permanent part of the [...] designed to produce [a] key [...] looks random [...] avoid weaknesses that could open the door to exploitation by [an] enemy cryptanalyst. Reference [88] is an excellent source of information about the history of U.S. electronic cipher machine developments.
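
The register step and cycle lengths described in this appendix, as an added Python example that is not part of the original document. The feedback is assumed to be an XOR of tapped stages, and the taps, plugging, combining function and initial fill are constructed for illustration: taps (0, 1) on a 4-stage register give the maximal cycle of 15 = (2^4)-1, while taps (0, 1, 2, 3) give a cycle of only 5.

```python
# Added example (not from the original document); the combining function,
# plugging and fill below are constructed for illustration.

def step(state, taps, plugging, combine):
    """One step as described in the text; returns (new fill, key bit)."""
    key_bit = combine(*(state[i] for i in plugging))  # stages read out via the plugging
    feedback = 0
    for i in taps:                                    # assumed feedback: XOR of tapped stages
        feedback ^= state[i]
    # shift left: the leftmost bit is discarded, the feedback bit enters on the right
    return state[1:] + (feedback,), key_bit

def keystream(fill, taps, plugging, combine, n):
    """First n key bits produced from the given initial fill."""
    state, bits = tuple(fill), []
    for _ in range(n):
        state, bit = step(state, taps, plugging, combine)
        bits.append(bit)
    return bits

def cycle_length(fill, taps):
    """Steps until the register fill first returns to its starting value."""
    if 0 not in taps:
        raise ValueError("stage 0 must be tapped or some fills never recur")
    start = state = tuple(fill)
    count = 0
    while True:
        state, _ = step(state, taps, (0,), lambda b: b)
        count += 1
        if state == start:
            return count

def combine(a, b, c):
    """Hypothetical nonlinear combining function of three plugged stages."""
    return (a & b) ^ c

PLUGGING = (3, 0, 2)   # stage 3 -> a, stage 0 -> b, stage 2 -> c (constructed)
FILL = (0, 0, 0, 1)    # constructed initial fill, n = 4

if __name__ == "__main__":
    print(cycle_length(FILL, (0, 1)))        # well-chosen taps: maximal cycle
    print(cycle_length(FILL, (0, 1, 2, 3)))  # poorly chosen taps: short cycle
    print(cycle_length((0, 0, 0, 0), (0, 1)))  # the all-0's fill never changes
    print(keystream(FILL, (0, 1), PLUGGING, combine, 15))
```
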
Appendix Vli: Public Key Systems

[...] American nongovernment mathematicians who [were] interested in cryptology [...] to the extent of carrying out research in it over the years; [...], [145], and [155] are examples. However, public [...] really came to life in 1976 with the publication of "New Directions in Cryptography" by Diffie and Hellman, [86], although that paper [was] the result of earlier research on the part of the authors. (Their interest in cryptology had come to the attention of [...] earlier, when Hellman objected strongly to the [...].) One of the ideas in "New Directions" [that caught the] imagination of many mathematicians and computer scientists [...] world was what the authors called "public key cryptosystems", [...] an idea that had been put forth internally by James Ellis in 1970, [92], under the appellation "nonsecret encryption".

[...] the transformation of a plain text message into [...] method controlled [by] a key. In classical cryptographic systems the [transformation] is usually fairly simple: for instance, the key may [specify a] starting point in a long sequence of "random" numbers which [are] to be added to the sequence of plain text values, the result being [a] sequence of cipher values. To decrypt, the same sequence of [...], starting at the same point, must be subtracted from the [cipher] sequence. The random sequence and the key (starting point) [must] therefore be available to both the sender and the receiver of the [message], but not to anyone else. The transformation (addition) is simple and can easily be undone by subtraction.

[...] more complicated transformation, one that is easy to perform with any specified key but can be undone only with a different key; this decryption key must obviously be related to the encryption [key]. The [idea] is that the transformation should be of such a nature that the relation between encryption and decryption keys is [such that it] requires an exorbitant amount of [effort to] calculate one from the other unless one knows some secret ingredient of the relation. [...] the transformation algorithm itself can be made public as [long as the] secret ingredient is known only to the receiver of a message. To enable someone to send him a message, the recipient chooses an [encryption] key, calculates its related decryption key using the secret [...] that he has about the relationship, and openly sends the [encryption] key to the message sender. The sender (and possibly [...] in the world) knows the transformation method and the encryption key and can therefore encrypt a message and send it to the receiver. [...] decrypt it because no one else [...]


[...] for public key cryptosystems have been found so far. The best-known [...] McEliece's [...] other public key [...] sketches of attacks on most of them. Both the RSA and exponentiation systems were invented internally before their public appearances: [...] essentially the RSA system, and Rick Proto [...] had suggested [the] exponentiation scheme as an "irreversible transformation" prior to Ellis' paper on nonsecret encryption.

No public key cryptosystem has yet been used operationally.


A. Knapsacks, [163] 

The knapsack public key system is based on the difficulty of solving the following problem: a large number (perhaps 100) of positive integers [of various sizes] are specified, and someone selects a subset of them, adds [up] the integers in the subset, and tells you that sum. Your problem is to determine which integers were selected for the subset.

[...] Merkle and Hellman, [163], suggested that a public key cryptosystem [...] (a block at a time) by forming the [...] y is the inverse of x modulo [m]; only the recipient can [...] because no one else knows x and m. Since [...]

[...] one could [...] the transform procedure by choosing [...] than the sum of the b's and another multiplier relatively [prime to it], and taking c(i) to be the least positive residue of [...]. This could be repeated as often as desired. [...] public cryptovariables (the "knapsack numbers") will get larger and larger, on the average, and therefore the cipher [...] larger. In fact, even a single transformation will result [...] average number of cipher bits over [...]

B. RSA, [194] 

[...] based on the difficulty of factoring [...] process that is known empirically to be laborious but which has not [...] any [...] degree of difficulty. [...] version of [...] years later.

[...] and q (perhaps 100 digits each) are selected by the recipient to be the secret cryptovariables. The recipient also chooses [a number e] that is relatively prime to both p-1 and q-1. The numbers m=p*q and e [are the] public cryptovariables. To encipher a message, the sender converts it by any convenient means into a sequence of positive integers each less than m. He then raises each of them to the e-th power modulo m, and transmits the sequence of powers as cipher. Since the recipient [knows p] and q, he is able to determine the unique number d for [which d*e is] congruent to 1 modulo (p-1)*(q-1); he then raises each cipher number [...] decrypt the message; the [...]

[...] it requires one to find prime numbers large enough to [...]. It is thought that each prime should have [in the] neighborhood of 100 digits. It might seem to a nonmathematician [that finding] such primes would itself involve a factoring process, [...]. Testing an integer for primality is much easier than actually finding its factors, and the appearance of RSA in fact stimulated [...] which have improved such testing. [...] discovered weaknesses associated with using primes of a certain [...] the RSA system, so that finding acceptable ones is somewhat more complicated than merely finding large ones. Of course, [performing] modular arithmetic with such large numbers demands either multiple precision computer routines or specially designed chips.
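
The RSA procedure described above, as an added Python example (not code from the original document), using the text's names p, q, m, e and d. The function names, the toy prime sizes and the choice of the Miller-Rabin primality test are assumptions; the test shows an integer being checked for primality without any attempt to find its factors.

```python
# Added example: toy RSA with the page's cryptovariable names (p, q, m, e, d).
from math import gcd

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin test; with these bases it is exact for n < 3.3e24."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False              # b proves n composite; no factor is found
    return True

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def make_keys(p_start, q_start):
    p, q = next_prime(p_start), next_prime(q_start)   # secret cryptovariables
    phi = (p - 1) * (q - 1)
    e = 3
    while gcd(e, phi) != 1:           # e relatively prime to both p-1 and q-1
        e += 2
    return (p * q, e), pow(e, -1, phi)   # public (m, e); secret d, d*e = 1 mod phi

def encipher(text, m, e):
    data, k = text.encode(), (m.bit_length() - 1) // 8   # k-byte blocks, each < m
    return [pow(int.from_bytes(data[i:i + k], "big"), e, m)
            for i in range(0, len(data), k)]

def decipher(cipher, m, d):
    k = (m.bit_length() - 1) // 8     # per-block zero padding is stripped (text only)
    return b"".join(pow(c, d, m).to_bytes(k, "big").lstrip(b"\0")
                    for c in cipher).decode()
```

Primes near 10**12, as in `make_keys(10**12, 2 * 10**12)`, keep the arithmetic readable; the text's figure of about 100 digits per prime is what makes factoring m laborious.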

C. Exponentiation, [77] 

[...] the difficulty of finding [...] logarithms of elements in finite [...] more recently in groups [...]. The logarithm of an element relative to the generator is defined to be the least [...] raised to equal the element. [...]

[In the] exponentiation system, some large finite field GF(p^n) is selected to [...] were to solve the discrete logarithm problem, however, he could recover e and g, determine d and f, and so decrypt the message.

[...] be represented as polynomials with coefficients in the field of integers modulo 2, reduced modulo some irreducible polynomial [...]

[...] exponentiation public key cryptosystem is that it requires three transmissions, [...] from sender to receiver, one from [...], in order [...] information. Because of this, it seems to be suitable [...] for short and infrequent messages. In fact, when it [...] ([86]) the authors (Diffie and Hellman) proposed it as a way [...] cryptovariables [to] be used for a conventional cryptographic system.

[...] on [an elliptic] curve over a finite field, and exponentiating [in that] group, is receiving some attention at the present time. [Not] much is known about it as yet, although elliptic curves are [being] intensively studied in connection with factoring algorithms as well.
D. McEliece's System, [162]

[...] is a k by n matrix [formed] in the [following] way. First, the recipient chooses a k by n generator matrix G for some Goppa code ([137] contains a definition [...] and further references for them) with the ability [to] correct t errors. Then he chooses a random nonsingular k by k matrix S (one with [...]) and a random n by n permutation matrix P. The matrices [G, S, and P are] the secret cryptovariables, and G' is the matrix product [S*G*P] [...]

[...] into [k]-bit segments, and enciphers each segment by considering it [...] and multiplying it by G', then garbling t randomly [...] bits. [That] is, the n-bit cipher segment c is [m*G' + e], where m is the plain text segment and e is the "error vector".

[...] by the inverse [...] being [...] deliberately induced [...] decipher the message without expending a prohibitive amount of work.